Today I tried to change the used cipher from aes-256-cbc + sha1 to aes-128 + sha-256, and my iOS OpenVPN app worked for both (even though it had the old aes256/sha1 config). In the live log I saw the following for the new connection.
Question 1: Does this on-demand change also work for desktop VPN tools (Tunnelblick with OpenVPN 2.3+)?
Question 2: Does the connection now really use the server preferences and not what the client has in its config?
Live Log output after the change (only the warnings differed from the old connection):
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2015:03:25-15:52:36 gateway openvpn[3695]: 80.187.97.1:4229 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Can I just use the new config for all clients (see Q1/Q2) and change the client configs conveniently afterwards without interrupting their work in the first place?
Thanks!
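
Added example (not part of the original post): a Python script that reads gateway log lines in the format quoted above and lists, per client, which options the server flagged as inconsistent and what the server initialised for its own side of the data channel. The sample log and peer addresses are constructed, and the report reflects only what the server logged, not what the client is actually using.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the log lines quoted in the post;
# peer addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2015:03:25-15:52:36 gateway openvpn[3695]: 192.0.2.10:4229 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
2015:03:25-15:52:36 gateway openvpn[3695]: 192.0.2.10:4229 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
2015:03:25-15:52:36 gateway openvpn[3695]: 192.0.2.10:4229 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2015:03:25-15:52:36 gateway openvpn[3695]: 192.0.2.10:4229 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2015:03:25-15:53:02 gateway openvpn[3695]: 198.51.100.7:51000 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2015:03:25-15:53:02 gateway openvpn[3695]: 198.51.100.7:51000 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
"""

PEER = r"openvpn\[\d+\]: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) "
WARN_RE = re.compile(PEER + r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
                            r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
CHAN_RE = re.compile(PEER + r"Data Channel (?P<dir>Encrypt|Decrypt): (?:Cipher '(?P<cipher>[^']+)'"
                            r"|Using \d+ bit message hash '(?P<hash>[^']+)')")

def _value(opt, text):
    """'cipher AES-128-CBC' -> 'AES-128-CBC' (logged values repeat the option name)."""
    return text[len(opt):].strip() if text.startswith(opt + " ") else text

def audit(log_text):
    """Per peer: option mismatches as (server value, client value) and what the
    server reports initialising for its own side of the data channel."""
    peers = defaultdict(lambda: {"mismatch": {}, "server_side": {}})
    for line in log_text.splitlines():
        if m := WARN_RE.search(line):
            peers[m["peer"]]["mismatch"][m["opt"]] = (
                _value(m["opt"], m["local"]), _value(m["opt"], m["remote"]))
        elif m := CHAN_RE.search(line):
            kind = "cipher" if m["cipher"] else "auth"
            peers[m["peer"]]["server_side"][(m["dir"], kind)] = m["cipher"] or m["hash"]
    return {peer: dict(info) for peer, info in peers.items()}

def stale_clients(report, options=("cipher", "auth")):
    """Peers whose advertised config disagrees with the server on these options."""
    return sorted(p for p, info in report.items()
                  if any(o in info["mismatch"] for o in options))

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for peer in stale_clients(report):
        print(peer, report[peer]["mismatch"])
```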